stargravy

I’ve been out of practice for CTFs as of late, but SEC-T just ran a short but fun CTF that had a number of quick problems which I thoroughly enjoyed. Here I will focus on Admin I & II, both XSS problems created by Mathias Karlsson.

Admin I — Web 100

Can you alert(1) this page (in firefox)?

Sure, I’ll take that challenge: the page asks if you can achieve an XSS that runs alert(1) and gives you a link with the injectable parameter (http://xss1.sect.ctf.rocks/?xss=stuff). The resulting script on the page looks like this:

<script>
dontrunthisscript();
var a = "stuff";
</script>

No matter what you inject to replace "stuff", you will find that the code will not run, since the block first attempts to call dontrunthisscript(), which isn’t defined, and the resulting ReferenceError aborts the rest of the block before the var a line is reached. Additionally, the "<" character was filtered out, so we couldn’t just make our own new <script> block :(
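To show the other side of this construct, here is an added example (my code, not part of the original write-up or the challenge) of the same script block rendered two ways: the naive string interpolation the challenge uses, and a hardened version that serialises the parameter as a JavaScript string literal so that neither a quote nor a "</script>" inside the value can change the structure of the block. The template text and the check function are assumptions made for the demonstration.

```python
import json

# Assumed template: the challenge's script block, with the value of the ?xss=
# parameter substituted for "stuff".
TEMPLATE_HEAD = "<script>\ndontrunthisscript();\nvar a = "
TEMPLATE_TAIL = ";\n</script>"


def render_script_naive(value: str) -> str:
    """Vulnerable rendering: the raw query parameter is pasted between quotes."""
    return TEMPLATE_HEAD + '"' + value + '"' + TEMPLATE_TAIL


def js_string_literal(value: str) -> str:
    """Serialise value as a JS string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters. The extra
    replacements close the gaps JSON leaves open in an HTML context: '<' and
    '>' so the value can never contain a literal "</script>", '&' for good
    measure, and U+2028/U+2029, which are line terminators in JavaScript but
    plain characters in JSON (json.dumps already escapes them while
    ensure_ascii is left at its default; the replace keeps that guarantee).
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def render_script_safe(value: str) -> str:
    """Hardened rendering: the parameter can only ever be a string literal."""
    return TEMPLATE_HEAD + js_string_literal(value) + TEMPLATE_TAIL


def string_literal_is_intact(rendered: str) -> bool:
    """Demo check: the `var a` line must hold exactly one complete quoted
    literal (two unescaped double quotes) and no '</' that could close the
    <script> element early. This only inspects the assignment line, not the
    closing </script> tag that legitimately follows it."""
    line = next(l for l in rendered.splitlines() if l.startswith("var a = "))
    body = line[len("var a = "):]
    unescaped = 0
    i = 0
    while i < len(body):
        if body[i] == "\\":      # skip an escaped character
            i += 2
            continue
        if body[i] == '"':
            unescaped += 1
        i += 1
    return unescaped == 2 and "</" not in line


if __name__ == "__main__":
    # Constructed inputs: a quote-breaking value and a tag-closing value.
    for value in ('"; var b = 1; //', "</script>", "stuff"):
        print("naive :", string_literal_is_intact(render_script_naive(value)))
        print("safe  :", string_literal_is_intact(render_script_safe(value)))
```

The hardened form does not make the challenge's block execute the value; it makes sure the value cannot become code at all, which is the property a page owner actually wants regardless of what precedes the assignment.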

This was the third challenge I attempted in the great CTF run by @SEC_T_org. It dealt with an issue I’d been interested in for a while: overly permissive S3 buckets on Amazon AWS.
An issue seen in a number of S3/AWS configs is the “Any Authenticated AWS User” permission. It allows access not just to AWS users authenticated to your account, but to any authenticated AWS user, period.
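As an added example (not from the original post), the check below walks a bucket ACL in the dictionary shape that boto3's get_bucket_acl returns and reports any grant made to the AuthenticatedUsers or AllUsers global groups; those two grantee URIs are the real AWS identifiers for "Any Authenticated AWS User" and "Everyone". The sample ACL is constructed so the code runs offline; on a live account you would pass the result of boto3.client("s3").get_bucket_acl(Bucket=name) instead.

```python
from typing import Dict, List, Tuple

# Real AWS grantee URIs for the two predefined global groups.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

RISKY_GRANTEES = {
    AUTHENTICATED_USERS: "any authenticated AWS account, not just yours",
    ALL_USERS: "anyone, including anonymous requests",
}


def risky_grants(acl: Dict) -> List[Tuple[str, str, str]]:
    """Return (grantee URI, permission, explanation) for each grant that hands
    access to a global group. Only Group grantees carry a URI; CanonicalUser
    and AmazonCustomerByEmail grantees are account-scoped and are ignored."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in RISKY_GRANTEES:
            findings.append((uri, grant.get("Permission", "?"), RISKY_GRANTEES[uri]))
    return findings


# Constructed sample: the owner has full control, but the bucket has also
# been granted READ to "Any Authenticated AWS User".
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# A clean ACL for comparison: only the owner is listed.
CLEAN_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}


if __name__ == "__main__":
    for name, acl in (("sample", SAMPLE_ACL), ("clean", CLEAN_ACL)):
        hits = risky_grants(acl)
        print(name, "->", hits or "no global-group grants")
```

Bucket policies can grant the same thing through a wildcard Principal, so an ACL check alone is not a complete audit; it is, however, exactly where the "Any Authenticated AWS User" grant shows up.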

This one was pretty quick, but lots of fun. The initial file is a packet capture showing a number of attempted GETs and DNS queries. Looking at the subdomains, I noticed that they seem to be made up of hex values.
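Hex-encoded subdomains are the classic shape of data leaving a network over DNS, so an analyst usually wants two things: a quick way to flag query names whose leading labels are pure hex, and a decoder that strips the fixed suffix and reassembles the bytes in capture order. The script below is an added example of both (my code, not the author's); the query names, the suffix ctf.example and the minimum label length are constructed for the demonstration.

```python
import string
from typing import Iterable, List, Optional

HEX_CHARS = set(string.hexdigits)

# Very short labels such as "dead" or "cafe" are hex by accident often enough
# to be noise, so require a few bytes before treating a label as encoded data.
MIN_HEX_LABEL = 6


def hex_label(label: str) -> Optional[bytes]:
    """Decode one DNS label if it is plausibly a hex-encoded chunk."""
    if len(label) >= MIN_HEX_LABEL and len(label) % 2 == 0 and set(label) <= HEX_CHARS:
        return bytes.fromhex(label)
    return None


def decode_qname(qname: str, suffix: str) -> Optional[bytes]:
    """Return the payload carried by qname, or None if it does not match.

    Every label in front of the suffix must decode as hex; one non-hex label
    means the name is ordinary traffic (or the exfil uses another encoding).
    """
    name = qname.rstrip(".").lower()
    suf = suffix.rstrip(".").lower()
    if not name.endswith("." + suf):
        return None
    chunks: List[bytes] = []
    for label in name[: -len(suf) - 1].split("."):
        chunk = hex_label(label)
        if chunk is None:
            return None
        chunks.append(chunk)
    return b"".join(chunks)


def reassemble(qnames: Iterable[str], suffix: str) -> bytes:
    """Concatenate the payloads of matching queries in the order seen."""
    out = []
    for qname in qnames:
        chunk = decode_qname(qname, suffix)
        if chunk is not None:
            out.append(chunk)
    return b"".join(out)


# Constructed query names, as they would appear in the DNS column of a capture.
SAMPLE_QNAMES = [
    "www.example.com.",             # unrelated lookup, different suffix
    "68656c6c6f.ctf.example.",      # "hello"
    "dead.ctf.example.",            # hex-looking but below MIN_HEX_LABEL, ignored
    "20776f726c64.ctf.example.",    # " world"
    "mail.ctf.example.",            # same suffix, not hex
]


if __name__ == "__main__":
    for q in SAMPLE_QNAMES:
        print(f"{q:32} -> {decode_qname(q, 'ctf.example')!r}")
    print("reassembled:", reassemble(SAMPLE_QNAMES, "ctf.example"))
```

In a real capture you would feed this the query names exported from Wireshark (or pulled with tshark -T fields -e dns.qry.name) and, if the data was split across many labels, sort on any sequence counter the sender embedded rather than trusting packet order.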

This challenge was pretty fun; there were a couple of dead ends/tricks.

The first step was to take a look at the packets. You can quickly notice that a ton of files are being grabbed using Wget (seen in the user-agent below). These can be exported using Wireshark’s File -> Export Objects -> HTTP.

The request URI shows what to expect in the files you extract from the packets.

So, I tried a couple of different things with this challenge before finally just scripting/brute-forcing my way through it.

Initially, while looking at the problem in Bokken (a cool GUI for radare2, a nice free alternative to IDA Pro) I found the addresses of all of the compares, which would allow me to bypass any sort of check on the inputs by setting breakpoints in GDB and setting the Zero Flag appropriately whenever the program does a comparison before a jump.

When you first run rock you just get a blank prompt. Input a couple of characters and you get a couple of quotes from the talented Dwayne “The Rock” Johnson, and a message saying “Too short or too long” unless you guessed (or checked) the right length.